Netgate Discussion Forum
    Can't make PORT FORWARDING work on WAN2 (dual WAN pfSense)

    Routing and Multi WAN
    7 Posts, 2 Posters, 1.9k Views

    spyshagg:

      Hi

      Two gateways connected to pfSense: WAN1 and WAN2.

      NAT port forwarding works well from WAN1 -> pfSense -> server

      NAT port forwarding fails from WAN2 -> pfSense -> server

      The server (FileZilla) complains of:

      Connected, sending welcome message…
      Could not send reply, disconnected

      It seems pfSense is either trying to reply using a WAN gateway different from the one used to receive the ports, or is just blocking outgoing packets to WAN2.

      The inbound connection is working well:  client -> WAN2 -> pfSense -> server
      The outbound connection is failing:  server -> pfSense -> ??? -> client

      Hence why FileZilla Server recognizes a new connection but fails with "could not send reply".

      Do I need to use manual outbound NAT for dual WAN configurations? It's in auto right now.

      Derelict (LAYER 8, Netgate):

        I don't think you can set up a passive FTP server to intelligently deal with multi-wan like that. It has to tell the client which IP address to connect to and it has no way of knowing which WAN the connection came from.

        You might have to run two servers looking at the same data files.

        But it shouldn't just fail if the client connection comes in over the other WAN either.

        FTP sucks.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)


        spyshagg:

          The example I gave is two separate servers, each configured to only use either WAN1 or WAN2. It's not meant to be using two WANs at the same time.

          Anyway, I plugged the fiber cables directly into pfSense, bypassing the DrayTek routers.  Port forwarding is now working well with both WAN1 and WAN2 connected directly to pfSense.

          My question about outbound NAT remains.  pfSense is using CARP IP addresses and the manual says I should set up an outbound NAT rule pointing each LAN to the WAN's CARP address.  I have no such thing and yet everything seems to work fine?

          cheers


          Derelict (LAYER 8, Netgate):

            Oh. You didn't mention outside "DrayTek" routers in your OP.

            If your outbound NAT entries are set to use WAN address instead of the CARP VIP it will work fine until it fails over. Then you won't have state sync and everyone will have to reconnect. Same goes for your inside hosts. They should be using the CARP VIP as their default gateway.


            spyshagg:

              @Derelict:

              Oh. You didn't mention outside "DrayTek" routers in your OP.

              If your outbound NAT entries are set to use WAN address instead of the CARP VIP it will work fine until it fails over. Then you won't have state sync and everyone will have to reconnect.

              Oh I see, they apply only to failover. Thanks!

              Also, before I created two new interfaces to accommodate the two new WANs directly on pfSense, I could see under Manual Outbound NAT rules pointing all my existing LANs to the existing WAN interfaces.  But now that I have created two new WAN accesses, they are not showing up under Manual Outbound NAT, only the WANs that already existed…  I pushed save many times but they still don't show up.


              Derelict (LAYER 8, Netgate):

                Outbound NAT rules do not "point anything" anywhere. They do not route traffic.

                They determine what happens to the source address and port when traffic is already routed out that interface by the routing table, policy routing, etc. As in, "If the traffic source matches this, translate the source address and port like this on the way out this interface."

                If you are in manual outbound NAT mode it means just that: manual. You have to create all outbound NAT rules. Creating an interface will do nothing there.


                spyshagg:

                  @Derelict:

                  Outbound NAT rules do not "point anything" anywhere. They do not route traffic.

                  They determine what happens to the source address and port when traffic is already routed out that interface by the routing table, policy routing, etc. As in, "If the traffic source matches this, translate the source address and port like this on the way out this interface."

                  If you are in manual outbound NAT mode it means just that: manual. You have to create all outbound NAT rules. Creating an interface will do nothing there.

                  When going from Auto NAT to Manual NAT, pfSense created all rules for me to see.  I'm just saying that after creating two new WAN interfaces and doing Auto NAT -> Manual NAT again, the new interfaces are not showing up automatically like all the others did.

                  I don't know if it is a bug, or if they do exist and by creating them manually I will be duplicating them because they simply are not visible (but exist).

                  But thanks, you explained what I needed to know :)

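The check a practitioner would run after this thread is to read the active ruleset rather than the GUI: `pfctl -sn` prints the `nat on` and `rdr on` rules that are actually loaded, so a WAN with no outbound NAT rule, or one translating to the node's own interface address instead of the CARP VIP, shows up directly. The script below is an added example, not code from the thread or from pfSense. It parses constructed sample lines in the style of that output (the interface names igb0/igb1/igb2, the LAN subnet, the addresses and the CARP VIP mapping are all assumptions) and classifies each WAN's outbound NAT as "ok", "interface address" (works until failover, as Derelict describes) or "missing" (the state the last post describes after adding WANs in manual mode):

```python
"""Audit outbound NAT rules of a dual-WAN pfSense CARP cluster.

Added example, not code from the thread or from pfSense. It parses text in
the style of `pfctl -sn` (the active NAT/rdr ruleset) and reports, per WAN,
whether outbound traffic is translated to that WAN's CARP VIP, to the node's
own interface address, or not at all.
"""
import re
from typing import Dict, List

# Constructed sample in the style of `pfctl -sn` output; not captured from a
# real firewall. Interface names, subnets and addresses are assumptions.
SAMPLE_PFCTL_SN = """\
nat on igb0 inet from 192.168.10.0/24 to any -> 203.0.113.10 port 1024:65535
nat on igb0 inet from 192.168.10.0/24 to any port = 500 -> 203.0.113.10 static-port
nat on igb1 inet from 192.168.10.0/24 to any -> (igb1) port 1024:65535
rdr on igb0 inet proto tcp from any to 203.0.113.10 port = 21 -> 192.168.10.50
rdr on igb1 inet proto tcp from any to 198.51.100.10 port = 21 -> 192.168.10.51
"""

# Assumed mapping of WAN interface -> CARP VIP. igb2 stands for a WAN that was
# added while outbound NAT was already in manual mode and so has no rule yet.
CARP_VIPS: Dict[str, str] = {
    "igb0": "203.0.113.10",
    "igb1": "198.51.100.10",
    "igb2": "192.0.2.10",
}

# `nat on <if> ... -> <target> ...`; the target is what the source becomes.
NAT_RE = re.compile(r"^nat on (\S+) .*? -> (\S+)")


def parse_nat_rules(text: str) -> Dict[str, List[str]]:
    """Map each interface to the translation targets of its `nat on` rules."""
    rules: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.setdefault(m.group(1), []).append(m.group(2))
    return rules


def _target_address(target: str) -> str:
    """Normalise `203.0.113.10/32` or `(igb1)` to the bare address or name."""
    return target.strip("()").split("/")[0]


def audit_outbound_nat(text: str, carp_vips: Dict[str, str]) -> Dict[str, str]:
    """Classify each WAN's outbound NAT as ok / interface address / missing.

    Outbound NAT only rewrites the source of traffic the routing table (or a
    policy route) has already sent out that interface. States built on the
    node's own interface address cannot be taken over by the CARP peer, so a
    `(igb1)`-style target works until failover and then forces reconnects.
    """
    nat = parse_nat_rules(text)
    findings: Dict[str, str] = {}
    for ifname, vip in carp_vips.items():
        targets = nat.get(ifname, [])
        if not targets:
            findings[ifname] = ("missing: no outbound NAT rule on this WAN, "
                                "traffic leaves with its private source address")
        elif all(_target_address(t) == vip for t in targets):
            findings[ifname] = "ok: translates to CARP VIP %s" % vip
        else:
            bad = [t for t in targets if _target_address(t) != vip]
            findings[ifname] = ("interface address: %s is not the CARP VIP %s, "
                                "works until failover" % (", ".join(bad), vip))
    return findings


if __name__ == "__main__":
    for ifname, verdict in audit_outbound_nat(SAMPLE_PFCTL_SN, CARP_VIPS).items():
        print(f"{ifname}: {verdict}")
```

On a real box the input would be the output of `pfctl -sn` (or the `nat on` lines of `/tmp/rules.debug`), piped into `parse_nat_rules`; a WAN reported as "missing" confirms that manual mode really has no rule for the new interface and that creating one will not duplicate a hidden rule.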
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.